Chrome 80.0.3987.116

Sometimes when Google releases a new version of Chrome, the release announcement doesn’t mention any security fixes. That’s intentional:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Chrome 80.0.3987.116 was announced on February 18, but the initial announcement didn’t include any mention of five security vulnerabilities that were fixed in that version. Those details were added a few days later.

Three of the vulnerabilities addressed in Chrome 80.0.3987.116 were reported to Google by third party security researchers.

To check your current version of Chrome, click its menu button (three vertical dots) and navigate to Help > About Google Chrome. If a newer version is available, you should see a button or link that allows you to install it.

Firefox 73.0

There’s another new version of Firefox: 73.0. Despite the major version bump, there are no big changes. However, it’s an important update, because it addresses several security vulnerabilities. There are also fixes for a few long-standing annoyances.

According to the security advisory for Firefox 73.0, six security bugs are addressed in the new version. None of them are flagged as having Critical impact, but they all look nasty.

Firefox’s page zoom feature is very handy for viewing web sites with unfortunate font size choices. It’s not new: Firefox has had this feature for years. What is new is that you can now set a global zoom level, which seems likely to be useful for folks with impaired vision.

To zoom the page you’re looking at, hold down the Ctrl key and move your mouse’s scroll wheel up and down. To change the global zoom level, click Firefox’s menu button, and select Options. In the General section, change the Default Zoom setting.

Firefox now shows web page background images with a border when Windows is configured to use high contrast mode. Previously, background images were disabled in high contrast mode.

Firefox will now only prompt to save login credentials if at least one form element has been changed.

To see which version of Firefox you’re using, navigate its menu to Help > About Firefox. If a newer version is available, you should see a button or link to install the update.

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.

The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...

Microsoft news: all bad today

The hits just keep on coming for Microsoft. I suppose it’s inevitable that a company as large as Microsoft will make mistakes, but when their products reach into our lives as thoroughly as Microsoft’s, those mistakes can lead to major disasters.

Global Windows 10 search failures

A huge proportion of Windows 10 users worldwide lost the ability to search their own computers recently. According to Microsoft, the problem stemmed from a glitch on a Microsoft server. Exactly why local search should be affected by some mysterious remote Microsoft server is yet to be explained.

In reality, search in Windows has been variously broken since Vista. I discovered a particularly horrible search bug in that garbage dump of an O/S soon after it was released, and was eventually able to convince Microsoft that it was a real problem; a fix soon followed. But even that didn’t fix all of Windows search’s problems; getting it to find all your files in all their locations was — and continues to be — a never-ending, and ultimately ineffective, exercise.

That’s why most people who need a search function that’s actually useful have long since switched to third party software, such as the excellent, fast, accurate, and free Fileseek. There’s also the blazingly fast (and also free) Everything. Both of these work perfectly out of the box, requiring no special setup to be useful, unlike Windows’ built-in search.

Still, many people assume that the Windows search feature is adequate, and never switch to anything else. Those people discovered the recent problem the hard way, when the already basically worthless search stopped working completely. Those people are understandably angry.

Implicit trust of driver software is a gaping security hole in Windows

Malicious folks have discovered yet another way to fool Windows into executing code that it shouldn’t. The new technique takes advantage of the fact that Windows implicitly trusts drivers. A driver is a small piece of software that connects Windows with hardware, allowing that hardware to be used by the O/S.

In this case, a specific driver that contains a serious security vulnerability — but is nevertheless trusted by Windows — was used by hackers to deploy ransomware to affected systems.

There’s no word from Microsoft on how they intend to deal with this glaring hole in Windows security.

A treasure trove of illicit data awaits the buyer of corp.com, thanks to Microsoft

Decisions made by Microsoft years ago are poised to create massive problems for many business and educational customers worldwide. When the person who owns the generic corp.com domain sells it, the new owner will be able to gather credentials and other supposedly private data from Windows computers that assume they are communicating with internal systems.

The problem stems from an ill-considered decision to use corp.com as a default setting and in documentation provided by Microsoft. Server administrators who didn’t change that default are now faced with a huge task that involves bringing down entire networks and possibly creating new problems.

Microsoft has known about this problem for years, and their advice to customers is basically “you shouldn’t have used the defaults”. Thanks for nothing, Microsoft.

Chrome 80.0.3987.87

The latest release of Google’s Chrome web browser, announced on February 4, includes fifty-six security fixes. As usual, details on all of the related vulnerabilities will not be released until a majority of users are updated with a fix.

The full change log for Chrome 80.0.3987.87 is a whopper, with over sixteen thousand changes in all. A little light reading for anyone with a few hours to spare. But hey, at this point if you don’t trust Google you probably shouldn’t be using Chrome. In the same way that you shouldn’t be using Windows 10 if you don’t trust Microsoft.

Chrome updates itself on its own mysterious schedule, unless you’ve taken extreme (and continuous) measures to prevent it. You can find out which version you’re running by navigating Chrome’s menu (hidden behind the three-vertical-dots menu button at the top right) to Help > About Google Chrome. If a newer version is available, you should see a button or link to install it.

Microsoft news: the good, the bad, and the spiteful

The Good

Windows 7 support ended earlier this month, and with it any hope of fixing newly-discovered security vulnerabilities. Or did it? Microsoft recently discovered a problem with an update, released in November 2019, that is causing problems with desktop wallpaper on Windows 7 computers. This isn’t a security issue, but it probably affects thousands of users, and Microsoft has now released a special update that fixes the wallpaper problem. You can get the update via Windows Update on Windows 7 computers.

The Bad

Microsoft’s plans for expanding advertising in Windows 10 continue, albeit very slowly. The latest change is in Windows 10’s default rich text editor, Wordpad. When you run Wordpad, you’ll see an advertisement for Microsoft Office. It’s not much, and many users will never see it, but I’m reminded of the proverbial frog in steadily-warming water.

The Spiteful

Microsoft’s shenanigans with Google show no signs of slowing down. Both companies have engaged in questionable behaviour in trying to promote their software and services. The latest shot from Microsoft is particularly annoying: when Office 365 updates itself — a process that is both frequent and difficult to control — it will look for an installation of Google’s Chrome web browser, and change its default search engine to Bing.

Microsoft has a history of inappropriately reverting settings during updates, which is annoying enough, but this is excessive and downright spiteful, in my opinion. Microsoft, please play out your differences with Google in a way that doesn’t annoy millions of users.

Update 2020Feb11: Microsoft relented, and won’t be switching Windows 10 searches to use Bing during Office 365 updates. I guess they realized that they didn’t need yet another public relations disaster.

Java 8 Update 241 (8u241)

Oracle’s Critical Patch Update Advisory for January 2020 documents twelve security vulnerabilities in Java 8 Update 231 and earlier versions.

Java 8 Update 241 was released to address those vulnerabilities. The release notes page for Java 8 lists notable changes in Java 8 Update 241.

These days the only mainstream web browser that still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, keeping Java up to date is critical.

But even if you don’t use IE with Java, if Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure, look for a Java entry in the Windows Control Panel. Open it and click the About button on the General tab to check the installed version. If it’s not up to date, go to the Update tab and click the Update Now button.

Patch Tuesday for January 2020; end of support for Windows 7

The first Patch Tuesday for 2020 arrives with the long-planned but still inconvenient end of meaningful support for Windows 7.

The venerable Windows 7 still runs on about a quarter of all PCs worldwide. Sticking with Windows 7 was — and continues to be — a conscious decision for many users, made because Windows 8 and 10 were problematic for a variety of reasons.

Microsoft killed support for Windows XP on April 8, 2014, but still released updates for that O/S on a couple of occasions when a security vulnerability was so severe that it seemed likely to cause massive problems if unpatched. Microsoft will probably do the same thing for Windows 7, but it’s not a good idea to rely on the goodwill of any large corporation.

So, if you’re running Windows 7, what should you do? You can upgrade to Windows 8.1, which will buy you some time, until its support ends on January 10, 2023. Or you can stop resisting and make the move to Windows 10. Many of the initial problems with — and objections to — Windows 10 have now been addressed, making it somewhat less unpalatable. Microsoft offers additional guidance on the “Windows 7 support ended on January 14, 2020” page on the Microsoft support site.

Another sensible option would be to switch to Linux. There are now Linux distributions that feel a lot like Windows, which can ease the transition. The main problem is software. But even if the software you use has no Linux version, you can still run an older version of Windows in a virtual machine on your Linux computer. That’s not too helpful for high-end games, however.

Back to our regularly scheduled updates…

There are thirty-nine updates (and associated bulletins) from Microsoft this month, addressing fifty vulnerabilities in Windows, .NET, Internet Explorer, and Office. Eight of the updates are flagged with Critical severity.

Although there are other ways to obtain the updates, by far the simplest method is to use Windows Update, which is found in the Windows 10 settings, or the Control Panel in older versions.

Update 2020Jan15: One of the vulnerabilities addressed in yesterday’s updates was reported to Microsoft by the NSA. While there’s disagreement about the seriousness of the vulnerability, this is notable in that the NSA previously wasn’t interested in sharing its discovered vulnerabilities. Lack of NSA cooperation led to the WannaCry ransomware nightmare in 2017. Brian Krebs has more.

While it’s generally a good idea to cross your fingers and install all available Microsoft updates, or at least allow them to be installed automatically, some Windows 10 users have grown wary of updates, and configured Windows Updates to be delayed. The actual risk from this vulnerability is mostly for Windows Server 2016 computers that are exposed to the Internet, and Windows 10 computers normally used by people with administrator permissions.

Update 2020Jan17: There’s more useful information about the NSA-reported vulnerability from Ars Technica, and SANS. SANS has created a web page and download that you can use to test your computers for this vulnerability.

Firefox 72.0 and 72.0.1

Security fixes and some welcome changes to notifications and tracking protection were released in the form of Firefox 72.0 on January 7. Firefox 72.0.1 followed the next day, adding one more security fix.

Site notifications are those annoying messages that pop up when you’re browsing web sites, asking — somewhat ironically — whether you want to see notifications for that site. You can still choose to see those, but now Firefox lets you suppress them. To control notifications, navigate Firefox’s Settings to Privacy & Security > Permissions, then click on the Settings button next to Notifications.

Firefox’s already helpful tracking protections were enhanced in version 72 with the addition of fingerprint script blocking. Fingerprinting is a technique used by many companies to better understand you and your online behaviour. While arguably harmless (it’s mostly about providing better ad targeting) fingerprinting is also creepy and a privacy concern. By default, Firefox now blocks scripts that are known to be involved.

Current versions of Firefox default to updating themselves automatically, but you can check for available updates by navigating Firefox’s menu to Help > About Firefox.
